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REMARKS 

This Application has been carefully reviewed in light of the Final Office Action 
mailed February 22, 2006. In order to advance prosecution of this case, Applicants amend 
Claims 1, 10-12, and 14. Applicants previously canceled Claims 2-3, 6-7, and 18-19 without 
prejudice or disclaimer. Applicants respectfully request reconsideration and favorable action 
in this case. 

Section 102 Rejections 

The Examiner rejects Claims 1, 4-5, and 10-17 under 35 U.S.C. § 102(b) as being 
anticipated by U.S. Patent No. 5,398,196 issued to Chambers (' 'Chambers"). Applicants 
respectfully traverse this rejection. Nonetheless, for the purposes of advancing prosecution, 
Applicants amend 1, 10-12, and 14 to further clarify the claimed invention. As amended, 
Claim 1 recites: 

A method of detecting viral code in subject files, comprising: 

creating an artificial memory region spanning one or more components 
of the operation system; 

creating a custom version of an export table, wherein the custom 
version of the export table is associated with a plurality of entry points and 
wherein the entry points comprise predetermined values; 

emulating execution of at least a portion of computer executable code 
in a subject file; 

monitoring operating system calls by the emulated computer 
executable code; 

identifying a type of operating system call that the emulated computer 
executable code attempted to access; and 

deciding, based on the type of operating system call identified, whether 
the emulated computer executable code comprises viral code. 

Chambers fails to recite, expressly or inherently, every element of amended Claim 1 
for at least several reasons. First, Chambers fails to disclose "identifying a type of operating 
system call that the emulated computer executable code attempted to access." Second, 
Chambers also fails to disclose "deciding, based on the type of operating system call 
identified, whether the emulated computer executable code comprises viral code." Thus, as 
described further below, Chamber fails to recite every element of amended Claim 1. 

First, Chambers fails to disclose "identifying a type of operating system call that the 
emulated computer executable code attempted to access." The cited portion of Chambers 
states only that "the monitor program examines a list of operating system entry points to 
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determine if any have changed as a result of the instruction just emulated" and that "[i]f there 
is such a change, then it is logged at block 820." Col. 9, 11. 21-23, 25-26. Chamber does not, 
however, disclose "identifying a type of operating system call that the emulated computer 
executable code attempted to access" (emphasis and underlining added) as recited by Claim 
1. 

Second, Chambers also fails to disclose "deciding, based on the type of operating 
system call identified, whether the emulated computer executable code comprises viral code." 
The only decision made by the monitoring module described in the cited portion of Chambers 
is whether "any [operating system entry points] have changed as a result of the instruction 
just emulated." Col. 9, 11. 22-23. Moreover, as noted above, Chambers fails to disclose 
identifying a type of operating system call. Thus, Chambers also fails to disclose "deciding, 
based on the type of operating system call identified, whether the emulated computer 
executable code comprises viral code" as recited by Claim 1 . 

As a result, Chambers fails to recite, expressly or inherently, every element of 
amended Claim 1. Claim 1 is thus allowable for at least these reasons. Applicants 
respectfully request reconsideration and allowance of amended Claim 1 and its dependents. 

Although of differing scope from Claim 1, Claims 10-12 and 14 include elements 
that, for reasons substantially similar to those discussed with respect to Claim 1, are not 
recited expressly or inherently by Chambers. Claims 10-12 and 14 are thus allowable for at 
least these reasons. Applicants respectfully request reconsideration and allowance of Claims 
10-12 and 14, and their respective dependents. 

Additionally, many of the dependents of Claim 1 include other elements that are also 
not disclosed in the cited reference. For example, Claim 5 as amended recites: 
The method of claim 1, further comprising: 

monitoring accesses by the emulated computer executable code to the 
artificial memory region to detect looping; and 

determining based on a detection of looping whether the emulated 
computer executable code is viral. 

Chambers fails to recite, expressly or inherently, additional elements of amended 
Claim 5. Chambers fails to disclose "monitoring accesses by the emulating computer 
executable code to the artificial memory region to detect looping." The portion of Chambers 
cited by the Examiner in rejecting this claim discloses use of a guinea pig file to determine 
whether certain viral code displays replicative behavior. Col. 10, 11. 40-43. While the cited 
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portion of Chambers references "recursion," it describes recursively executing the emulation 
process and merely discusses terminating emulation if viral behavior by the target program is 
confirmed while recursively executing the emulation. Chambers does not disclose 
"monitoring accesses by the emulating computer executable code to the artificial memory 
region to detect looping" as recursion is assumed to be part of this process. 

Chambers also fails to disclose "determining based on a detection of looping whether 
the emulated computer executable code is viral." The cited portion of Chambers describes a 
process for determining whether a virus has corrupted the interrupt handlers of a computer 
system. More specifically, the system in Chambers emulates execution of a target program, 
and then accesses a first "guinea pig file" to determine if execution of the target program has 
corrupted the interrupt handlers. Col. 9, 11. 44-48; col. 9, 11. 61-64; col. 10, 11. 7-10. 
Following access of the first guinea pig file, the system determines whether any unauthorized 
modification of the first guinea pig file has occurred, i.e. whether block 960 of FIG. 9 has 
been reached. Col. 10, 11. 10-23. If so, the described system of Chambers may further test 
the replicative nature of the virus initiated by the target program, by executing the first guinea 
pig file and then accessing a second guinea pig file. Col. 10, 11. 32-40. Following access of 
the second guinea pig file, the system determines whether any unauthorized modification of 
the second guinea pig file has occurred, i.e. whether block 960 has been reached again. In 
other words, "if block 960 is reached during the second level of emulation, viral behavior is 
confirmed and the second level of emulation is terminated." Col. 10, 11. 43-50. Thus, the 
system of Chambers determines whether viral behavior has occurred based on whether a first 
file exposed to unauthorized modification will cause unauthorized modification of other files 
if the first file is later executed. Chambers does not however disclose "determining based on 
a detection of looping whether the emulated computer executable code is viral" as recited by 
amended Claim 5. 

As a result, Chambers fails to recite, expressly or inherently, at least these additional 
elements of Claim 5. Thus, for at least these additional reasons, Claim 5 is allowable. As 
noted above, Applicants respectfully request reconsideration and allowance of amended 
Claim 5, as noted above. 

Although of differing scope from Claim 5, amended Claim 1 7 includes elements that, 
for reasons substantially similar to those discussed with respect to Claim 5, are not disclosed 
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by the cited reference. Claim 17 is thus allowable for at least these reasons. Applicants 
respectfully request reconsideration and allowance of amended Claim 17, as noted above. 

Section 103 Rejections 

The Examiner rejects Claims 8, 9, and 20 under 35 U.S.C. § 103(a) as being 
unpatentable over Chambers in view of U.S. Patent No. 5,974,549 issued to Golan 
("Golan"). Claims 8 and 9 depend from Claim 1, while Claim 20 depends from Claim 14. 
Claims 1 and 14 have been shown above to be allowable. Claims 8, 9, and 20 are thus 
allowable for at least these reasons. Applicants respectfully request reconsideration and 
allowance of Claims 8, 9, and 20. 
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Conclusions 

Applicants have made an earnest attempt to place this case in condition for allowance. 
For the foregoing reasons, and for other reasons clearly apparent, Applicants respectfully 
request full allowance of all pending Claims. If the Examiner feels that a telephone 
conference or an interview would advance prosecution of this Application in any manner, the 
undersigned attorney for Applicants stands ready to conduct such a conference at the 
convenience of the Examiner. 

No fees are believed to be due, however, the Commissioner is hereby authorized to 
charge any fees or credit any overpayments to Deposit Account No. 02-0384 of Baker Botts 
L.L.P. 

Respectfully submitted, 
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